From 685d598833bfeeb7d89a1a709f0e6dc84a263745 Mon Sep 17 00:00:00 2001 From: xerox Date: Sun, 26 Jul 2020 02:14:34 +0000 Subject: [PATCH] Update README.md --- README.md | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e9277d0..65b7cea 100644 --- a/README.md +++ b/README.md @@ -43,9 +43,31 @@ Registeration of APCS: # HWID -```cpp +BEDaisy opens a handle to DR0 (disk.sys). + +``` +02646022 190.98799133 [GoodEye]ZwOpenFile called from: 0xFFFFF804DEFDB904 +02646023 190.98799133 [GoodEye] - ZwOpenFile(\Device\Harddisk0\DR0) +02646024 190.98869324 [GoodEye] - ZwOpenFile handle result: 0xFFFFFFFF80003E28 +``` + +BEDaisy then sends a few IOCTL's to disk.sys using `ZwDeviceIoControlFile` +``` +02646049 190.99142456 [GoodEye]ZwDeviceIoControlFile Called From 0xFFFFF804DEFDB94A +02646050 190.99143982 [GoodEye] - FileHandle: 0xFFFFFFFF80003E28 +02646051 190.99143982 [GoodEye] - IoControlCode: 0x00000000002D1400 +02646052 190.99143982 [GoodEye] - OutputBufferLength: 0x0000000000000008 +02646053 190.99143982 [GoodEye] - InoutBufferLength: 0x000000000000000C + +02646059 190.99192810 [GoodEye]ZwDeviceIoControlFile Called From 0xFFFFF804DEFDB960 +02646060 190.99192810 [GoodEye] - FileHandle: 0xFFFFFFFF80003E28 +02646061 190.99192810 [GoodEye] - IoControlCode: 0x00000000002D1400 +02646062 190.99192810 [GoodEye] - OutputBufferLength: 0x0000000000000000 +02646063 190.99194336 [GoodEye] - InoutBufferLength: 0x000000000000000C + 02646072 190.99209595 [GoodEye]ZwDeviceIoControlFile Called From 0xFFFFF804DEFDB9B1 02646073 190.99211121 [GoodEye] - FileHandle: 0xFFFFFFFF80003E28 02646074 190.99211121 [GoodEye] - IoControlCode: 0x000000000007C088 02646075 190.99211121 [GoodEye] - OutputBufferLength: 0x0000000000000211 -02646076 190.99211121 [GoodEye] - InoutBufferLength: 0x0000000000000021 \ No newline at end of file +02646076 190.99211121 [GoodEye] - InoutBufferLength: 0x0000000000000021 +``` \ No newline at end of file
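Review bot: the IOCTL codes in the new log excerpts are left raw, which makes the HWID section hard to use; suggest naming each control code next to the line, e.g. `IoControlCode: 0x00000000002D1400 (IOCTL_STORAGE_QUERY_PROPERTY)`. `0x002D1400` is `IOCTL_STORAGE_QUERY_PROPERTY` (the `InoutBufferLength: 0x0000000000000C` matches `sizeof(STORAGE_PROPERTY_QUERY)`, and the first call's 8-byte output is the `STORAGE_DESCRIPTOR_HEADER` size probe), and `0x0007C088` is `SMART_RCV_DRIVE_DATA`: input `0x21` is `sizeof(SENDCMDINPARAMS)` and output `0x211` is `sizeof(SENDCMDOUTPARAMS)` plus the 512-byte ATA IDENTIFY DEVICE block, i.e. the usual route to the drive model and serial number for a hardware ID. Stating that in the prose ("BEDaisy then sends a few IOCTL's to disk.sys") is what turns the trace into a finding. Smaller points: "IOCTL's" should be "IOCTLs"; "InoutBufferLength" in the trace looks like a typo for "InputBufferLength" (leave it only if it is the tracer's own label); the hunk context line "Registeration of APCS:" should read "Registration"; and replacing the ```` ```cpp ```` fence with a plain fence is correct, since the block is tool output rather than C++.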